[whatwg] HTTP Forms extension specification
Anne van Kesteren
annevk at annevk.nl
Fri Feb 22 08:37:45 PST 2013
On Fri, Feb 22, 2013 at 2:29 PM, Cameron Jones <cmhjones at gmail.com> wrote:
> The HTTP headers are restricted using a copy-paste of those in XHR which is
> included in the form submission process. Happy to hear any suggestions to
> improve the structure or general authoring.
You are not making the same checks as
http://xhr.spec.whatwg.org/#the-setrequestheader%28%29-method does.
E.g. I could inject a header value in your algorithm that is CRLF
followed by "Referer: mahahah".
Not really convinced by the use cases, but maybe someone else is.
--
http://annevankesteren.nl/
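The kind of check the reply refers to, as an added example that is not part of the original message or of either specification: a simplified header validator set beside an unchecked serializer. The function names, the `X-Note` header and the shortened forbidden-name list are assumptions made for illustration.

```javascript
// Added illustration; simplified, not the XHR specification's algorithm text.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // HTTP token: legal header-name characters
const BAD_VALUE_CHARS = /[\r\n\0]/;             // CR, LF and NUL never belong in a value

// Partial list of author-forbidden header names (assumption: shortened for brevity).
const FORBIDDEN = new Set(["referer", "host", "cookie", "origin",
  "content-length", "connection", "transfer-encoding"]);

function checkHeader(name, value) {
  if (typeof name !== "string" || !TOKEN.test(name)) {
    return { ok: false, reason: "invalid-name" };
  }
  if (typeof value !== "string" || BAD_VALUE_CHARS.test(value)) {
    return { ok: false, reason: "invalid-value" };
  }
  const lower = name.toLowerCase();
  if (FORBIDDEN.has(lower) || lower.startsWith("proxy-") || lower.startsWith("sec-")) {
    return { ok: false, reason: "forbidden-name" };
  }
  return { ok: true, reason: null };
}

// Unchecked serializer: a value containing CRLF becomes an extra header line.
function naiveSerialize(pairs) {
  return pairs.map(([n, v]) => `${n}: ${v}\r\n`).join("");
}

// Checked serializer: refuses the whole set if any pair fails validation.
function serializeHeaders(pairs) {
  for (const [name, value] of pairs) {
    const result = checkHeader(name, value);
    if (!result.ok) throw new Error(`${result.reason}: ${JSON.stringify(name)}`);
  }
  return naiveSerialize(pairs);
}

// Counts header lines as a receiving parser would see them.
function headerLineCount(raw) {
  return raw.split("\r\n").filter((line) => line.length > 0).length;
}

// Constructed input matching the case in the message above.
const SAMPLE = [["X-Note", "hello\r\nReferer: mahahah"]];
console.log(headerLineCount(naiveSerialize(SAMPLE)));        // one pair in, two lines out
console.log(checkHeader(SAMPLE[0][0], SAMPLE[0][1]).reason); // rejected before serialization
```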